Split-horizon DNS

In computer networking, split-horizon DNS, split-view DNS, split-brain DNS, or split DNS is the facility of a Domain Name System (DNS) implementation to provide different sets of DNS information, selected usually by the source address of the DNS request.

This facility can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within an administrative domain, e.g., a company) and access from an insecure, public network (e.g., the Internet).

Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access to DNS zone records. The latter is a common feature of many server software implementations of the DNS protocol (cf. Comparison of DNS server software) and is sometimes the implied meaning of the term split-horizon DNS, since all other forms of implementation can be achieved with any DNS server software.

Split-Horizon DNS and DNSSEC

Split-horizon DNS is designed to provide different authoritative answers to an identical query, while DNSSEC is used to ensure the veracity of data returned by the Domain Name System. These apparently conflicting goals create the potential for confusion or false security alerts in poorly constructed networks. Research has produced recommendations for properly combining these two DNS features.[1]

Use Case

One common use case for split-horizon DNS is a server that is located internally but has NAT'ed access from the outside. By using split-horizon DNS the server can be accessed by the same URL no matter which side of the network the device is accessed from. This allows a single DNS server to correctly provide the necessary information for a given URL independent of the user's network location.

Internal View:

@       IN SOA  ns.example.net. admin.example.net. (
                                2010010101      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@                       NS      ns.example.net.
ns                      IN      A               10.0.0.2
example.net.            IN      A               10.0.0.1
host1.example.net.      IN      A               10.0.0.10
host2.example.net.      IN      A               10.0.0.20

External View:

@       IN SOA  ns.example.net. admin.example.net. (
                                2010010101      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@                       NS      ns.example.net.
ns                      IN      A               172.31.255.11
example.net.            IN      A               172.31.255.1
host1.example.net.      IN      A               172.31.255.10
host2.example.net.      IN      A               172.31.255.20
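The following is an added example, not code from the article or from any DNS server project. It shows in working Python what the software-based implementation described above does with the two views just listed: a small master-file parser reads each view, the query's source address is matched against a per-view client ACL (first match wins, as with BIND's match-clients), and the answer comes only from the selected view. The internal ACL (10.0.0.0/8) and the "match everything" external ACL are assumptions, since the article does not state which source networks select each view; the two zone texts are constructed copies of the records above. A final leak check reports any A record in the external view that points into an internal network, the mistake that turns split-horizon DNS into an information disclosure.

```python
"""Added example (not from the article): a minimal split-horizon resolver."""
import ipaddress
import re

# Constructed copies of the article's two views (same records as above).
INTERNAL_ZONE = """
@       IN SOA  ns.example.net. admin.example.net. (
                                2010010101      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@                       NS      ns.example.net.
ns                      IN      A               10.0.0.2
example.net.            IN      A               10.0.0.1
host1.example.net.      IN      A               10.0.0.10
host2.example.net.      IN      A               10.0.0.20
"""

EXTERNAL_ZONE = """
@       IN SOA  ns.example.net. admin.example.net. (
                                2010010101      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@                       NS      ns.example.net.
ns                      IN      A               172.31.255.11
example.net.            IN      A               172.31.255.1
host1.example.net.      IN      A               172.31.255.10
host2.example.net.      IN      A               172.31.255.20
"""


def parse_zone(text, origin):
    """Parse a small master-file zone into {(owner, rtype): [rdata tuple, ...]}.

    Handles ';' comments, '@' for the origin, relative owner names, a blank
    owner field (same owner as the previous record), optional TTL and 'IN'
    class, and a parenthesised multi-line SOA.  Owners are stored lower-cased
    and fully qualified.
    """
    logical, pending, depth = [], [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).rstrip()        # drop comments
        if not line.strip() and depth == 0:
            continue
        pending.append(line)
        depth += line.count("(") - line.count(")")     # fold "( ... )" spans
        if depth == 0:
            logical.append(" ".join(pending).replace("(", " ").replace(")", " "))
            pending = []

    records, last_owner = {}, origin
    for line in logical:
        fields = line.split()
        if line[:1].isspace():                          # blank owner field
            owner = last_owner
        else:
            owner, fields = fields[0], fields[1:]
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]                         # optional TTL / class
        rtype, rdata = fields[0].upper(), tuple(fields[1:])
        records.setdefault((owner.lower(), rtype), []).append(rdata)
    return records


# View table, evaluated top to bottom; the first ACL match wins (BIND semantics).
# The client networks are assumptions made for this example.
VIEWS = [
    ("internal", ["10.0.0.0/8"], parse_zone(INTERNAL_ZONE, "example.net.")),
    ("external", ["0.0.0.0/0", "::/0"], parse_zone(EXTERNAL_ZONE, "example.net.")),
]
VIEWS = [(n, [ipaddress.ip_network(c) for c in acl], z) for n, acl, z in VIEWS]


def select_view(source_ip):
    """Return (view_name, zone) for the first view whose ACL matches source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for name, acl, zone in VIEWS:
        if any(addr in net for net in acl):
            return name, zone
    raise LookupError(f"no view matches {source_ip}")  # BIND would answer REFUSED


def resolve(qname, qtype, source_ip):
    """Answer qname/qtype from the view chosen by source_ip.

    Returns (view_name, [rdata strings]), or (view_name, None) if the chosen
    view holds no such record.
    """
    name, zone = select_view(source_ip)
    rrset = zone.get((qname.lower().rstrip(".") + ".", qtype.upper()))
    answer = None if rrset is None else [" ".join(rd) for rd in rrset]
    return name, answer


def external_leaks():
    """A records in the external view whose address lies in an internal network."""
    internal_nets, external_zone = VIEWS[0][1], VIEWS[1][2]
    return [(owner, rd[0])
            for (owner, rtype), rrset in external_zone.items() if rtype == "A"
            for rd in rrset
            if any(ipaddress.ip_address(rd[0]) in net for net in internal_nets)]


if __name__ == "__main__":
    for client in ("10.0.0.55", "203.0.113.7"):
        view, answer = resolve("host1.example.net", "A", client)
        print(f"query from {client:<12} -> view {view:<8} host1.example.net A {answer}")
    print("external-view leaks:", external_leaks() or "none")
```

Running the script answers host1.example.net as 10.0.0.10 for the 10.0.0.55 client and as 172.31.255.10 for the 203.0.113.7 client, and reports no leaks for the article's two views. Because a query that matches no ACL raises instead of silently falling through, an IPv6 client reaches the external view only because the external ACL lists ::/0 as well as 0.0.0.0/0; an ACL table that omits one address family is a common source of unexplained REFUSED answers in real deployments.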

References

  1. Providing "split horizon" DNS service.
  2. BIND 9 Configure Views To Partition External and Internal DNS Information.
  3. Providing "split horizon" DNS service on OS X Server systems (as of OS X Server version 10.6.2).
  4. Detailed How-to on DNS Views on Bind 9.
This article is issued from Wikipedia, version of Monday, January 11, 2016. The text is available under the Creative Commons Attribution/Share Alike license, but additional terms may apply for the media files.